# Protection Mechanism Failure (CWE-693)

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

**Stack:** JavaScript

- Prevalence: Alta Frecuentemente explotada
- Impact: Alto 1 reglas de severidad alta
- Prevention: Documentada 8 ejemplos de corrección

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

This weakness covers three distinct situations: Missing a protection mechanism, using a faulty protection mechanism, or incorrectly applying a protection mechanism. A missing protection mechanism occurs when the application does not defend against a specific attack. A faulty protection mechanism occurs when the application does defend against a specific attack, but the protection mechanism is not implemented correctly.

## Prevention

Estrategias de prevención para Protection Mechanism Failure basadas en 1 reglas de detección de Shoulder.

### JavaScript

Add Helmet middleware to set security headers automatically

## Warning Signs

- [HIGH] Application lacks security headers middleware (helmet, CSP, HSTS, X-Frame-Options, etc.).
Without these headers, the app
- [HIGH] missing security headers middleware (Helmet) to prevent XSS, clickjacking, and MIME sniffing

## Consequences

- Eludir mecanismo de protección
- Ejecutar código no autorizado
- Obtener privilegios

## Mitigations

- Implementa múltiples capas de seguridad (defensa en profundidad)
- Usa mecanismos de seguridad estándar de la industria y probados en lugar de implementaciones personalizadas
- Asegúrate de que los mecanismos de protección no puedan ser eludidos ni desactivados

## Detection

- Total rules: 8
- Languages: dockerfile, go, javascript, typescript

## Rules by Language

### Javascript (1 rules)

- **Security Headers in Express.js** [HIGH]: Detects missing security headers middleware (Helmet) to prevent XSS, clickjacking, and MIME sniffing.
  - Remediation: Install and configure helmet middleware:

1. Install: npm install helmet
2. Import: const helmet = require('helmet');
3. Enable: app.use(helmet());

Example:
  const express = require('express');
  const helmet = require('helmet');
  const app = express();
  app.use(helmet());

### Typescript (1 rules)

- **Security Headers in Express.js** [HIGH]: Detects missing security headers middleware (Helmet) to prevent XSS, clickjacking, and MIME sniffing.
  - Remediation: Install and configure helmet middleware:

1. Install: npm install helmet
2. Import: const helmet = require('helmet');
3. Enable: app.use(helmet());

Example:
  const express = require('express');
  const helmet = require('helmet');
  const app = express();
  app.use(helmet());